Reining in Outsourcing Risk

Exporting business processes raises the potential for trouble, but companies can do much to reduce the threats.

As business process outsourcing (BPO) has taken off in recent years, so have concerns over the risks that come with it — everything from isolated instances of identity theft to large-scale disasters that could seriously disrupt operations. Corporations and their customers are extremely sensitive to data security breaches — so much so that a solitary incident could unleash a ruinous chain reaction, like the one experienced by third-party payment processor CardSystems Solutions in 2005. In June, an estimated 40 million credit and debit card numbers were stolen from CardSystems’ Tucson offices. As a result, Visa and American Express canceled their contracts with the company, and MasterCard insisted on new security guidelines. CardSystems CEO John Perry told a congressional committee investigating the incident that the company “is being driven out of business” by departing customers. Finally, in October, CardSystems was acquired by Pay By Touch, a San Francisco–based provider of biometric authentication and payment systems.

This incident is only one in a rash of security breaches at third-party contractors in 2005:

In February, ChoicePoint, a major provider of identification- and credential-verification services based in Alpharetta, Ga., sold the personal data of some 145,000 individuals to criminals posing as small firms. The company later said it would “discontinue the sale of information products that contain sensitive consumer data, including Social Security and driver’s license numbers, except where there is a specific consumer-driven transaction or benefit” or a law enforcement purpose.

In April, several employees at BPO firm mPhasis in Bangalore, India, were caught using client passwords to fraudulently withdraw funds from the New York accounts of Citibank customers.

In June, an employee at BPO firm Infinity e-Systems in New Delhi sold the account numbers and passwords of 1,000 bank customers to a reporter from the British tabloid The Sun for $5,000. (The names of the breached banks were not disclosed.)

And most recently, on November 12, four former employees of Indian call center operator Parsec Technologies were arrested for allegedly stealing classified information. Parsec services housing mortgage originators in the U.S., and the ex-employees had diverted the contact information of potential mortgage finance customers to a firm they had set up called Telequest Systems, which in turn passed the information on to other call centers. The scandal came to light when there was a sudden drop in the productivity of call centers hired by Parsec.

Paul Fielding, program director at Booz Allen Hamilton in Dallas whose specialty is international outsourcing and offshore relationships with financial institutions globally, says the risks are nothing new. The moment work goes “outside your four walls,” he notes, the potential for risk rises: “Once you do a transaction and open yourself to the Internet, the ether of that Internet flows around the whole globe.” Jon Watts, a principal with Booz Allen in New York City who specializes in technology strategy, notes that one of the reasons outsourcing carries such a high degree of risk is that “the companies themselves are one layer removed from being able to control the transparency of what is happening.”

Fearing loss of control, outsourcers have begun asking their service providers to incorporate tighter checks and balances in their work processes to secure data privacy and prevent fraud, say experts at Booz Allen and the University of Pennsylvania’s Wharton School, as well as others who closely track the BPO sphere. BPO clients are making it a priority to transplant their “best practices” to their outsourcing service providers, complete with documentation requirements and periodic audits. In addition, some companies are employing new tracking systems that enable them to monitor their BPO assignments in real time. BPO providers, meanwhile, are performing more stringent background checks on employees and, in the case of some larger BPO firms, are instituting zero-tolerance policies for security violations and underperformance. Pressure is also mounting on governments in BPO destinations like India to tighten privacy and intellectual property laws, and also to step up law enforcement.

Articles published in strategy+business do not necessarily represent the views of PwC Strategy& LLC or any other member firm of the PwC network. Reviews and mentions of publications, products, or services do not constitute endorsement or recommendation for purchase.